You can use SOAP to pass a username/password with the request. SSL should be used to encrypt the data going over the wire. Here is some code that we use:
This is a class that will hold the Credentials that are sent with the request:
    Imports System.Web.Services.Protocols

    ' Custom SOAP header that carries the caller's credentials with each request
    Public Class ServiceCredentials
        Inherits SoapHeader

        Private _userName As String
        Public Property UserName() As String
            Get
                Return _userName
            End Get
            Set(ByVal value As String)
                _userName = value
            End Set
        End Property

        Private _password As String
        Public Property Password() As String
            Get
                Return _password
            End Get
            Set(ByVal value As String)
                _password = value
            End Set
        End Property

        ' Parameterless constructor, needed so the header can be deserialized
        Public Sub New()
        End Sub

        ' Convenience method for the caller to set both values at once
        Public Sub NewUserInfo(ByVal ServiceUser As String, ByVal ServicePassword As String)
            Me.UserName = ServiceUser
            Me.Password = ServicePassword
        End Sub
    End Class
Add an attribute to the definition of your Web Service:
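    ' Public member named by the SoapHeader attribute; it must exist on the
    ' web service class, and ASP.NET fills it from the incoming header
    Public CredentialsHeader As ServiceCredentials

    <WebMethod()> _
    <SoapHeader("CredentialsHeader")> _
    Function MyWebMethod(ByVal parametersPassed As String)
        'check permissions here
        If PermissionsValid(CredentialsHeader) Then
            'ok!
            .......
        Else
            'throw a permission error
        End If
    End Function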
And then from there, just create a function (in my example, PermissionsValid) to check the permissions:
    Function PermissionsValid(ByVal Credentials As ServiceCredentials) As Boolean
        'check Credentials.Username and Credentials.Password here and return a boolean
    End Function
This may seem like a bunch of work, but this way, when they send a request, you can check it against a database or whatever else you want. You can also turn off a username easily at your end.
A simpler way would be to restrict the IP addresses that are allowed to hit the service page. But, then you run into issues with IP addresses changing, etc.
BTW, much of this was typed as I did the post, so you may need to check over the code to make sure it compiles. :)
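An added example, not part of the original answer or the poster's code: one way PermissionsValid could check the header, assuming .NET Framework 4.0 or later and compiled alongside the ServiceCredentials class above. ServiceAccount, CredentialCheck, AddAccount and the in-memory Accounts table are hypothetical stand-ins for a database lookup.

```vb
Imports System
Imports System.Collections.Generic
Imports System.Security.Cryptography

' Hypothetical account record; in practice this would be a database row.
Public Class ServiceAccount
    Public Salt As Byte()
    Public Hash As Byte()
    Public Enabled As Boolean   ' set to False to turn a username off
End Class

Public Module CredentialCheck
    Private Const Iterations As Integer = 100000
    Private ReadOnly Accounts As New Dictionary(Of String, ServiceAccount)(StringComparer.OrdinalIgnoreCase)

    ' Store only a salted PBKDF2 hash, never the password itself.
    Public Sub AddAccount(ByVal userName As String, ByVal password As String)
        Dim salt(15) As Byte
        Using rng As RandomNumberGenerator = RandomNumberGenerator.Create()
            rng.GetBytes(salt)
        End Using
        Accounts(userName) = New ServiceAccount With {.Salt = salt, .Hash = Derive(password, salt), .Enabled = True}
    End Sub

    ' PBKDF2 (HMAC-SHA1 with this constructor), 32-byte output.
    Private Function Derive(ByVal password As String, ByVal salt As Byte()) As Byte()
        Using kdf As New Rfc2898DeriveBytes(password, salt, Iterations)
            Return kdf.GetBytes(32)
        End Using
    End Function

    ' A request sent without the header arrives with Credentials = Nothing.
    Public Function PermissionsValid(ByVal Credentials As ServiceCredentials) As Boolean
        If Credentials Is Nothing Then Return False
        If String.IsNullOrEmpty(Credentials.UserName) OrElse String.IsNullOrEmpty(Credentials.Password) Then Return False
        Dim account As ServiceAccount = Nothing
        If Not Accounts.TryGetValue(Credentials.UserName, account) Then Return False
        If Not account.Enabled Then Return False
        Return FixedTimeEquals(Derive(Credentials.Password, account.Salt), account.Hash)
    End Function

    ' Compare every byte so timing does not reveal how many bytes matched.
    Private Function FixedTimeEquals(ByVal a As Byte(), ByVal b As Byte()) As Boolean
        If a.Length <> b.Length Then Return False
        Dim diff As Integer = 0
        For i As Integer = 0 To a.Length - 1
            diff = diff Or (a(i) Xor b(i))
        Next
        Return diff = 0
    End Function
End Module
```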